Cyber-Insurance Valuable yet Still Needs to Evolve
Insurance firms need more tools to better gauge risk and appropriately cover businesses for damages sustained during cyber-attacks.While cyber-insurance could significantly help companies reduce their risk and direct businesses to develop better security practices, the insurance industry still lacks the maturity and the ability to determine clients' risk, according to an analysis conducted by security-information firm NSS Labs. In the wake of the Target breach, the cyber-insurance industry has done a great deal of soul searching. While Target reportedly had $100 million in insurance with a $10 million deductible, the company had to combine several policies—in what the insurance industry calls a "tower"—to reach that limit. Following the breach, insurance companies have become more hesitant to take part in any such aggregation to offset the risk of cyber-attacks, according to industry experts. Until carriers can find better ways to continuously measure and assess risk, however, the cyber-insurance market will develop slowly, Andrew Braunberg, researcher director at NSSLabs, told eWEEK. "Insurance carriers do well in those industries where they have enough data to efficiently determine risk, such as home, fire and car," he said. "In cyber, however, there is an asymmetry between what they know about an organization's security and the company's risk profile; they are at a disadvantage there."
Insurance companies typically have to determine the degree to which potential clients are targeted by attackers and the maturity of the client's security processes. Yet insurance carriers also need more detailed information than they currently can collect, according to NSS Labs. The carriers need to determine the attack landscape, such as what vulnerabilities and exploits are being used, the effectiveness of security controls and the value of a business' information assets.